CVE-2021-46876 – ezsystems/ezpublish-kernel

Package

Manager: composer
Name: ezsystems/ezpublish-kernel
Vulnerable Version: >=6.13.0 <6.13.8.1 || >=7.5.0 <7.5.15.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00186 pctl0.40643

Details

User account enumeration in eZ Publish Ibexa Kernel This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.

Metadata

Created: 2023-03-12T06:30:21Z
Modified: 2025-03-05T19:26:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-89p3-9j8c-fqh4/GHSA-89p3-9j8c-fqh4.json
CWE IDs: ["CWE-203"]
Alternative ID: GHSA-89p3-9j8c-fqh4
Finding: F047
Auto approve: 1